
Smitfraud Problem


15 replies to this topic

#1 PhoenixReneau

  • Members
  • 16 posts

Posted 11 June 2007 - 11:36 PM

Having a problem with this. Same as all the rest, nothing will touch it.
Here is my Hijackthis log.

Logfile of HijackThis v1.99.1
Scan saved at 12:31:09 AM, on 6/12/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Xfire\xfire.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.5.19.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Hope this helps you help me.

#2 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 12 June 2007 - 04:10 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum PhoenixReneau :thumbsup:

Before we can provide you with any further assistance, you first need to go here and install Service Pack 1;
http://www.microsoft.com/windowsxp/downloa...p1/default.mspx
This will patch numerous security vulnerabilities in Internet Explorer and the Windows operating system.
As your machine stands right now it's extremely vulnerable to infection.
You need to get these updates installed first before we can proceed or we'll both be wasting our time.

Note:
Do not install Service pack 2.
If you install SP 2 on an infected machine it will cause serious problems within the operating system.

Post a new Hijackthis log into your next reply.

#3 PhoenixReneau
  • Topic Starter

  • Members
  • 16 posts

Posted 12 June 2007 - 06:32 AM

Sorry about that. I had just done a fresh install, and forgot to do SP1 in the rush to get stuff back to normal.
Here is my updated HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 7:26:24 AM, on 6/12/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Xfire\xfire.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.5.19.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#4 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 12 June 2007 - 06:46 AM

Please download Combofix and save to your desktop:
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.


*****************

Download SmitfraudFix (by S!Ri), to your desktop.
Double click on Smitfraudfix.cmd
Select option 1 – Search, by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy and paste the content of that report into your next reply.

*IMPORTANT*
Do NOT run any other options until you are asked to do so!

#5 PhoenixReneau
  • Topic Starter

  • Members
  • 16 posts

Posted 12 June 2007 - 07:01 AM

ComboFix 07-06-12.5 - C:\Documents and Settings\DarkAntagony\Desktop\ComboFix.exe
"DarkAntagony" - 2007-06-12 7:47:20 - Service Pack 1 NTFS


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CORE
-------\core


((((((((((((((((((((((((( Files Created from 2007-05-12 to 2007-06-12 )))))))))))))))))))))))))))))))


2007-06-12 07:46 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-12 07:21 <DIR> d-------- C:\WINDOWS\Prefetch
2007-06-12 07:14 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-06-12 07:14 <DIR> d-------- C:\WINDOWS\ehome
2007-06-12 07:08 98,304 --a------ C:\WINDOWS\system32\oleprn.dll
2007-06-12 07:08 94,208 --a------ C:\WINDOWS\system32\odbccp32.dll
2007-06-12 07:08 91,136 --a------ C:\WINDOWS\system32\rastls.dll
2007-06-12 07:08 9,856 --------- C:\WINDOWS\system32\drivers\tunmp.sys
2007-06-12 07:08 9,216 --a------ C:\WINDOWS\system32\wuauserv.dll
2007-06-12 07:08 88,064 --a------ C:\WINDOWS\system32\tscfgwmi.dll
2007-06-12 07:08 87,304 --a------ C:\WINDOWS\system32\rdpdd.dll
2007-06-12 07:08 86,528 --a------ C:\WINDOWS\system32\wlnotify.dll
2007-06-12 07:08 86,016 --a------ C:\WINDOWS\system32\xactsrv.dll
2007-06-12 07:08 82,944 --a------ C:\WINDOWS\system32\smlogsvc.exe
2007-06-12 07:08 82,944 --a------ C:\WINDOWS\system32\psbase.dll
2007-06-12 07:08 81,920 --a------ C:\WINDOWS\system32\trkwks.dll
2007-06-12 07:08 8,192 --a------ C:\WINDOWS\system32\scrnsave.scr
2007-06-12 07:08 77,824 --a------ C:\WINDOWS\system32\wmpstub.exe
2007-06-12 07:08 77,824 --a------ C:\WINDOWS\system32\wmpshell.dll
2007-06-12 07:08 75,912 --a------ C:\WINDOWS\system32\rdpwsx.dll
2007-06-12 07:08 74,240 --a------ C:\WINDOWS\system32\rtcshare.exe
2007-06-12 07:08 71,168 --a------ C:\WINDOWS\system32\telnet.exe
2007-06-12 07:08 71,168 --a------ C:\WINDOWS\system32\storprop.dll
2007-06-12 07:08 71,168 --a------ C:\WINDOWS\system32\sdbinst.exe
2007-06-12 07:08 686,080 --a------ C:\WINDOWS\system32\opengl32.dll
2007-06-12 07:08 674,816 --a------ C:\WINDOWS\system32\sxs.dll
2007-06-12 07:08 667,648 --a------ C:\WINDOWS\system32\ss3dfo.scr
2007-06-12 07:08 66,560 --a------ C:\WINDOWS\system32\spoolss.dll
2007-06-12 07:08 66,048 --a------ C:\WINDOWS\system32\sigverif.exe
2007-06-12 07:08 638,976 --a------ C:\WINDOWS\system32\sstext3d.scr
2007-06-12 07:08 63,488 --a------ C:\WINDOWS\system32\srclient.dll
2007-06-12 07:08 62,976 --a------ C:\WINDOWS\system32\shgina.dll
2007-06-12 07:08 61,952 --a------ C:\WINDOWS\system32\webclnt.dll
2007-06-12 07:08 61,952 --a------ C:\WINDOWS\system32\sti.dll
2007-06-12 07:08 61,440 --a------ C:\WINDOWS\system32\odbccu32.dll
2007-06-12 07:08 61,440 --a------ C:\WINDOWS\system32\odbccr32.dll
2007-06-12 07:08 60,416 --a------ C:\WINDOWS\system32\wextract.exe
2007-06-12 07:08 60,416 --a------ C:\WINDOWS\system32\shimeng.dll
2007-06-12 07:08 6,144 --a------ C:\WINDOWS\system32\sensapi.dll
2007-06-12 07:08 58,880 --a------ C:\WINDOWS\system32\pautoenr.dll
2007-06-12 07:08 57,856 --a------ C:\WINDOWS\system32\raschap.dll
2007-06-12 07:08 569,344 --a------ C:\WINDOWS\system32\sspipes.scr
2007-06-12 07:08 56,832 --a------ C:\WINDOWS\system32\wzcdlg.dll
2007-06-12 07:08 56,320 --a------ C:\WINDOWS\system32\remotepg.dll
2007-06-12 07:08 534,016 --a------ C:\WINDOWS\system32\spider.exe
2007-06-12 07:08 530,432 --a------ C:\WINDOWS\system32\rpcrt4.dll
2007-06-12 07:08 53,248 --a------ C:\WINDOWS\system32\packager.exe
2007-06-12 07:08 53,248 --a------ C:\WINDOWS\system32\odbcconf.exe
2007-06-12 07:08 52,224 --a------ C:\WINDOWS\system32\secur32.dll
2007-06-12 07:08 511,488 --a------ C:\WINDOWS\system32\qedit.dll
2007-06-12 07:08 51,200 --a------ C:\WINDOWS\system32\wmerrenu.dll
2007-06-12 07:08 5,504 --------- C:\WINDOWS\system32\drivers\smbali.sys
2007-06-12 07:08 48,640 --a------ C:\WINDOWS\system32\vdmredir.dll
2007-06-12 07:08 48,128 --a------ C:\WINDOWS\system32\winsta.dll
2007-06-12 07:08 48,128 --a------ C:\WINDOWS\system32\reg.exe
2007-06-12 07:08 479,261 --a------ C:\WINDOWS\system32\vbscript.dll
2007-06-12 07:08 47,616 --a------ C:\WINDOWS\system32\utilman.exe
2007-06-12 07:08 446,464 --a------ C:\WINDOWS\system32\wmvdmoe.dll
2007-06-12 07:08 442,398 --a------ C:\WINDOWS\system32\wmadmoe.dll
2007-06-12 07:08 44,032 --a------ C:\WINDOWS\system32\regapi.dll
2007-06-12 07:08 44,032 --a------ C:\WINDOWS\system32\rdpclip.exe
2007-06-12 07:08 43,008 --a------ C:\WINDOWS\system32\ssdpsrv.dll
2007-06-12 07:08 420,864 --a------ C:\WINDOWS\system32\shimgvw.dll
2007-06-12 07:08 409,088 --a------ C:\WINDOWS\system32\vssapi.dll
2007-06-12 07:08 40,960 --a------ C:\WINDOWS\system32\tscupgrd.exe
2007-06-12 07:08 392,704 --a------ C:\WINDOWS\system32\ntmssvc.dll
2007-06-12 07:08 385,024 --a------ C:\WINDOWS\system32\sqlsrv32.dll
2007-06-12 07:08 384,000 --a------ C:\WINDOWS\system32\themeui.dll
2007-06-12 07:08 38,912 --a------ C:\WINDOWS\system32\wsnmp32.dll
2007-06-12 07:08 38,400 --a------ C:\WINDOWS\system32\ntmsapi.dll
2007-06-12 07:08 38,400 --a------ C:\WINDOWS\system32\ntlanman.dll
2007-06-12 07:08 364,544 --a------ C:\WINDOWS\system32\ssflwbox.scr
2007-06-12 07:08 36,352 --a------ C:\WINDOWS\system32\sens.dll
2007-06-12 07:08 357,376 --a------ C:\WINDOWS\system32\qdvd.dll
2007-06-12 07:08 34,304 --a------ C:\WINDOWS\system32\rcimlby.exe
2007-06-12 07:08 339,456 --a------ C:\WINDOWS\system32\usp10.dll
2007-06-12 07:08 334,848 --a------ C:\WINDOWS\system32\smlogcfg.dll
2007-06-12 07:08 33,280 --a------ C:\WINDOWS\system32\shmgrate.exe
2007-06-12 07:08 328,704 --a------ C:\WINDOWS\system32\oakley.dll
2007-06-12 07:08 32,768 --a------ C:\WINDOWS\system32\odbcad32.exe
2007-06-12 07:08 32,256 --a------ C:\WINDOWS\system32\umandlg.dll
2007-06-12 07:08 316,416 --a------ C:\WINDOWS\system32\zipfldr.dll
2007-06-12 07:08 311,327 --a------ C:\WINDOWS\system32\wmv8dmod.dll
2007-06-12 07:08 31,744 --a------ C:\WINDOWS\system32\pid.dll
2007-06-12 07:08 3,338 --a------ C:\WINDOWS\system32\redir.exe
2007-06-12 07:08 297,984 --a------ C:\WINDOWS\system32\scesrv.dll
2007-06-12 07:08 296,448 --a------ C:\WINDOWS\system32\wmstream.dll
2007-06-12 07:08 294,912 --a------ C:\WINDOWS\system32\wmvdmod.dll
2007-06-12 07:08 274,432 --a------ C:\WINDOWS\system32\wmasf.dll
2007-06-12 07:08 27,136 --a------ C:\WINDOWS\system32\ssdpapi.dll
2007-06-12 07:08 266,752 --a------ C:\WINDOWS\winhlp32.exe
2007-06-12 07:08 264,704 --a------ C:\WINDOWS\system32\wzcsvc.dll
2007-06-12 07:08 260,608 --a------ C:\WINDOWS\system32\rpcss.dll
2007-06-12 07:08 254,976 --a------ C:\WINDOWS\system32\pdh.dll
2007-06-12 07:08 253,952 --a------ C:\WINDOWS\system32\wmpcd.dll
2007-06-12 07:08 253,952 --a------ C:\WINDOWS\system32\wmnetmgr.dll
2007-06-12 07:08 251,904 --a------ C:\WINDOWS\system32\strmdll.dll
2007-06-12 07:08 247,808 --a------ C:\WINDOWS\system32\wow32.dll
2007-06-12 07:08 24,576 --a------ C:\WINDOWS\system32\odbcbcp.dll
2007-06-12 07:08 24,064 --a------ C:\WINDOWS\system32\skeys.exe


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-12 00:11:07 2,560 ----a-w C:\WINDOWS\system32\BitCometRes.dll
2007-04-23 00:15:18 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-04-23 00:15:18 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-04-13 22:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}=C:\Program Files\BitComet\tools\BitCometBHO_1.1.5.19.dll [2007-05-18 11:17]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2006-10-22 12:22 C:\WINDOWS\system32\nwiz.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 01:02]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 14:42]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-10-22 12:22]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"sysPersonalFirewall"=csrs.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"sysPersonalFirewall"=csrs.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sysPersonalFirewall]
csrs.exe

*Newly Created Service* - ALG
*Newly Created Service* - IPNAT

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-12 07:52:41
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-12 7:54:42 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-12 07:54

--- E O F ---

-----------------------------------------------------------------------------------------------------------

SmitFraudFix v2.195

Scan done at 7:55:14.17, Tue 06/12/2007
Run from C:\Documents and Settings\DarkAntagony\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Xfire\xfire.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\DarkAntagony


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\DarkAntagony\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\DARKAN~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Linksys NC100 Fast Ethernet Adapter - Packet Scheduler Miniport
DNS Server Search Order: 205.144.216.157
DNS Server Search Order: 205.144.217.51

HKLM\SYSTEM\CCS\Services\Tcpip\..\{06F257F0-C78A-4E0B-925A-17D281A4BA35}: DhcpNameServer=205.144.216.157 205.144.217.51
HKLM\SYSTEM\CS1\Services\Tcpip\..\{06F257F0-C78A-4E0B-925A-17D281A4BA35}: DhcpNameServer=205.144.216.157 205.144.217.51
HKLM\SYSTEM\CS2\Services\Tcpip\..\{06F257F0-C78A-4E0B-925A-17D281A4BA35}: DhcpNameServer=205.144.216.157 205.144.217.51
HKLM\SYSTEM\CS3\Services\Tcpip\..\{06F257F0-C78A-4E0B-925A-17D281A4BA35}: DhcpNameServer=205.144.216.157 205.144.217.51
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=205.144.216.157 205.144.217.51
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=205.144.216.157 205.144.217.51
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=205.144.216.157 205.144.217.51
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=205.144.216.157 205.144.217.51


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
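The ComboFix output above lists two autorun values under HKEY_USERS\.default, both "sysPersonalFirewall"=csrs.exe, with no path and no timestamp in brackets, which is exactly the kind of entry a log reviewer checks before anything else. The following Python is an added example written for this page (not code from the thread, from ComboFix or from S!Ri's SmitfraudFix): it parses the 'Reg Loading Points' section and flags such entries for review; the sample log is constructed from the entries posted above, and the allowlist of system binary names and the flag wording are assumptions.

```python
"""Triage of the autorun entries in a ComboFix 'Reg Loading Points' section.

Added example, not part of the thread, of ComboFix or of SmitfraudFix. It flags
autorun values an analyst should look at first: a bare file name ComboFix could
not resolve to a path, a value set under the .default profile hive, and a file
name one edit away from a well-known Windows system binary (csrs.exe vs csrss.exe).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the relevant part of the ComboFix log posted in the thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2006-10-22 12:22 C:\WINDOWS\system32\nwiz.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 01:02]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"sysPersonalFirewall"=csrs.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"sysPersonalFirewall"=csrs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.+)$')
# ComboFix appends "[YYYY-MM-DD HH:MM <resolved path>]" when it could locate the file.
STAMP_RE = re.compile(r"\s*\[(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2})(?P<resolved>[^\]]*)\]$")
# Assumption: a short allowlist of legitimate Windows binary names is enough to illustrate.
SYSTEM_NAMES = {"csrss.exe", "lsass.exe", "smss.exe", "svchost.exe", "winlogon.exe", "services.exe"}

@dataclass
class Autorun:
    key: str
    name: Optional[str]      # value name; None for msconfig-style command lines
    command: str             # the command line as written in the registry
    resolved: Optional[str]  # path ComboFix resolved the command to, if any
    flags: List[str] = field(default_factory=list)

def parse_reg_loading_points(text: str) -> List[Autorun]:
    """Parse '[key]' headers and the value lines beneath them into Autorun records."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group("key")
        elif line and key is not None:  # skip blanks and text before the first key
            resolved, sm = None, STAMP_RE.search(line)
            if sm:
                resolved = sm.group("resolved").strip() or None
                line = line[:sm.start()]
            vm = VALUE_RE.match(line)
            name, command = (vm.group("name"), vm.group("value").strip()) if vm else (None, line)
            entries.append(Autorun(key, name, command, resolved))
    return entries

def program_token(command: str) -> str:
    """Return the program part of a command line, honouring a quoted path."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    parts = cmd.split()
    return parts[0] if parts else cmd

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, to catch names one typo away from a system binary."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(entries: List[Autorun]) -> List[Autorun]:
    """Attach review flags to each entry and return only the flagged ones."""
    for e in entries:
        prog = program_token(e.command)
        exe = prog.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if "\\" not in prog and e.resolved is None:
            e.flags.append("bare file name that ComboFix did not resolve to a path")
        if ".default" in e.key.lower():
            e.flags.append("autorun set under the .default profile hive")
        for legit in sorted(SYSTEM_NAMES):
            if exe != legit and edit_distance(exe, legit) == 1:
                e.flags.append(f"file name is one edit away from system binary {legit}")
    return [e for e in entries if e.flags]

if __name__ == "__main__":
    for e in triage(parse_reg_loading_points(SAMPLE_LOG)):
        print(f"[{e.key}]\n  {e.name} = {e.command}\n  flags: {'; '.join(e.flags)}")
```

Run against the constructed sample, only the two csrs.exe entries come out flagged; nwiz.exe is also a bare name but passes because ComboFix resolved it to C:\WINDOWS\system32\nwiz.exe.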

#6 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 12 June 2007 - 07:13 AM

Clear your 'System Restore' points by doing the following:
Right-click on 'My Computer' and select 'Properties'.
Select 'System Restore'.
Select 'Turn Off System Restore On All Drives'.
Select 'Apply'.
You will then get the following warning:
"You have chosen to turn off System Restore.
If you continue, all existing restore points will be deleted, and you will not be able to track or undo changes to your computer.
Do you want to turn off System Restore?".
Then select 'Yes', your 'System Restore' directories will be purged.

Turn 'System Restore' back on:
Right click on 'My Computer' and select 'Properties'.
Select 'System Restore'.
Unselect 'Turn Off System Restore On All Drives'.
Select 'Apply', then click 'Ok'.

***************************************

Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

You should copy/print the following because you need to be in Safe Mode from here on.

Reboot your computer into "SAFE MODE" using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:
* Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
* Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
* Once the short scan has finished, Click Options > Change settings
* Choose the "Scan tab" and UNcheck "Heuristic analysis"
* Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
* Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
* When done, a message will be displayed at the bottom advising if any viruses were found.
* Click "Yes to all" if it asks if you want to cure/move the file.
* When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
(This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
* Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
* Save the DrWeb.csv report to your desktop.
* Exit Dr.Web Cureit when done.
* Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
* After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)

Also post a new Hijackthis log, let me know how your pc is running now please.

#7 PhoenixReneau
  • Topic Starter

  • Members
  • 16 posts

Posted 12 June 2007 - 08:15 AM

Process.exe;C:\Documents and Settings\DarkAntagony\Desktop\SmitfraudFix;Tool.Prockill;Moved.;
restart.exe;C:\Documents and Settings\DarkAntagony\Desktop\SmitfraudFix;Tool.ShutDown.11;Moved.;
build_dol.exe;C:\WINDOWS\system32;Trojan.MulDrop.6135;Deleted.;
Process.exe;C:\WINDOWS\system32;Tool.Prockill;Moved.;

---------------------------------------------------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 9:10:22 AM, on 6/12/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Xfire\xfire.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.5.19.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#8 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 12 June 2007 - 10:14 AM

What's happening now please, you haven't let me know :thumbsup:

#9 PhoenixReneau
  • Topic Starter

  • Members
  • 16 posts

Posted 12 June 2007 - 11:08 AM

Seems that everything is working fine. I only have one concern left. The reason I formatted in the first place was to get rid of a rootkit. I have two hard drives, one being storage with my installs, pictures, and music. For this install it was not used due to fear of something being on it as well. Any advice on that?

#10 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 12 June 2007 - 12:56 PM

I have two hard drives, one being storage with my installs, pictures, and music. For this install it was not used due to fear of something being on it as well.

What exactly are you saying, is the drive used for storage still connected, is it still accessible from drive c:, if it is connected you've no worries.

#11 PhoenixReneau
  • Topic Starter

  • Members
  • 16 posts

Posted 14 June 2007 - 07:18 AM

Yes I had two drives with one unplugged. That has been taken care of now, but I have another problem. backdoor.win32.sdbot.yx is being found by zone alarm. It is quarantining it when it finds it, but it just finds it again later. Also my task manager is being disabled as well.

Here is my Log.

Logfile of HijackThis v1.99.1
Scan saved at 8:12:26 AM, on 6/14/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Xfire\xfire.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.5.19.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
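
The HijackThis log above is a fixed line format (an `Onn - ` prefix, then a section-specific body), so the autostart entries in it can be parsed and triaged mechanically. The following Python script is an added example for this thread, not code from BleepingComputer, HijackThis or any poster here: it parses O2 (BHO), O4 (Run / Startup) and O23 (Service) lines, pulls out the executable or DLL each one loads, and flags entries whose image has no directory (resolved through the search path at logon), lives in a user-writable location, or sits outside the Windows and Program Files trees. The sample log is a handful of lines copied from the post above; the trusted-root and suspect-directory lists are the example's own assumptions, and a flag means "look at this entry", not "this is malware" (nwiz is NVIDIA's, it is flagged only because the Run value carries no path).

```python
import re
from typing import Dict, List, Optional

# Constructed sample: a handful of lines copied from the HijackThis log
# posted above (raw string because of the Windows paths).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP1 (WinNT 5.01.2600)

O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.5.19.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
STARTUP_RE = re.compile(r"^(?P<location>(?:Global )?Startup): (?P<name>.*?) = (?P<command>.*)$")
RUN_RE = re.compile(r"^(?P<location>.*?): \[(?P<name>[^\]]*)\] (?P<command>.*)$")
# A quoted path, or the shortest non-space run ending in a loadable extension.
IMAGE_RE = re.compile(r'"([^"]+)"|(\S+?\.(?:exe|dll|ocx|sys|cpl))', re.IGNORECASE)

# Assumed layout for a Windows XP box; adjust for other system drives.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")
SUSPECT_DIRS = ("\\temp\\", "\\documents and settings\\", "\\local settings\\")


def image_from_command(command: str) -> Optional[str]:
    """Pull the executable (or the DLL hosted by rundll32) out of a Run value."""
    matches = [m.group(1) or m.group(2) for m in IMAGE_RE.finditer(command)]
    if not matches:
        return None
    # rundll32 is only the host; the interesting module is its first argument.
    if matches[0].rsplit("\\", 1)[-1].lower() == "rundll32.exe" and len(matches) > 1:
        return matches[1]
    return matches[0]


def parse_entry(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Parse one HijackThis line into kind / name / image, or None if not an entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group(1), m.group(2)
    entry: Dict[str, Optional[str]] = {"kind": kind, "name": None, "image": None, "raw": line.strip()}
    if kind == "O4":
        s = STARTUP_RE.match(body)
        if s:  # "Startup: foo.lnk = <path>" carries the path verbatim
            entry["name"] = s.group("name")
            entry["image"] = s.group("command").strip()
        else:
            r = RUN_RE.match(body)
            if r:
                entry["name"] = r.group("name")
                entry["image"] = image_from_command(r.group("command"))
    elif kind in ("O2", "O23"):
        # "BHO: name - {CLSID} - path" and "Service: name - company - path";
        # a name containing " - " would need a smarter split.
        parts = body.split(" - ")
        entry["name"] = parts[0].split(": ", 1)[-1]
        entry["image"] = parts[-1].strip() if len(parts) >= 2 else None
    return entry


def review_reason(entry: Dict[str, Optional[str]]) -> Optional[str]:
    """Why an entry deserves a closer look, or None if it looks ordinary."""
    image = entry.get("image")
    if not image:
        return "no executable path could be extracted"
    low = image.lower()
    if "\\" not in low:
        return "bare file name, resolved through the search path at logon"
    if any(d in low for d in SUSPECT_DIRS):
        return "image lives in a user-writable location"
    if not low.startswith(TRUSTED_ROOTS):
        return "image outside the Windows and Program Files trees"
    return None


def triage(text: str) -> List[Dict[str, Optional[str]]]:
    """Return the autostart entries that deserve review, with the reason."""
    flagged = []
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry is None or entry["kind"] not in ("O2", "O4", "O23"):
            continue
        reason = review_reason(entry)
        if reason:
            flagged.append({"name": entry["name"], "image": entry["image"], "reason": reason})
    return flagged


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['name']!r:20} {f['image']!r:40} {f['reason']}")
```

Run against the sample, only the `nwiz` value is reported, because its Run value is the bare `nwiz.exe`; everything else resolves to a full path under Windows or Program Files. For a real triage pass, the natural next step is to check each flagged image's file on disk (signature, vendor, modification time) rather than trusting the path alone.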

#12 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 14 June 2007 - 07:47 AM

Run 'BitDefender Online Scanner' using Internet Explorer:
http://www.bitdefender.com/scan8/ie.html
Read the 'END USER SOFTWARE LICENSE AGREEMENT', then click 'I agree'.
You'll be prompted to install the ActiveX control; please do so.
Once installed, disable your current antivirus program, then click the 'Click here to scan' button.
The virus signatures will then load.
Once loaded, the scan will start.
The scan will take quite some time, so please be patient.
Once the scan has finished, select the 'Detected Problems' tab.
Click on 'Click here to export scan'.
Save the file as an HTML file to your desktop.
Then click on the saved file and allow it to open with your browser.
Go to 'Edit'/'Select All', then copy and paste that log into your next reply.
*Note*
Don't forget to re-enable your antivirus program.

#13 PhoenixReneau

PhoenixReneau
  • Topic Starter

  • Members
  • 16 posts

Posted 14 June 2007 - 10:45 AM

I cannot post the whole thing due to length, but I can post the problem it found and tell you that all the rest was clean.

AVCORE v1.0 (build 2409) (i386) (May 9 2007 18:01:21)

Scan plugins:    14
Archive plugins: 38
Unpack plugins:  6
E-mail plugins:  6
System plugins:  1

Scan Settings
First Action:       Disinfect
Second Action:      Delete
Heuristics:         Yes
Enable Warnings:    Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails:        Yes
Scan Archives:      Yes
Scan Packed:        Yes
Scan Files:         Yes
Scan Boot:          Yes

Scanned File                                                  Status
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\core.sys.vir  Infected with: Rootkit.Agent.EV
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\core.sys.vir  Disinfection failed
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\core.sys.vir  Deleted
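
The exported scan result above lists the same file once per step the scanner took (detection, then the first action failing, then the second action), which is the First Action / Second Action setting playing out: disinfection failed, so the file fell through to delete. The following Python is an added example for this thread, not code from BleepingComputer, BitDefender or any poster here. It parses those file/status rows into one record per file with the detection name, the actions in order and the final outcome, and notes when a hit lives under a quarantine directory, as this one does (a scanner walking a quarantine folder is reporting an already-isolated copy, not a live infection). The sample rows are constructed from the export above, one field per line as the browser copy produced it.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the Scanned File / Status rows from the export above.
SAMPLE_EXPORT = r"""Scanned File

Status

C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\core.sys.vir

Infected with: Rootkit.Agent.EV

C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\core.sys.vir

Disinfection failed

C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\core.sys.vir

Deleted
"""

# A row starts with a drive-letter path; the line after it is the status.
PATH_RE = re.compile(r"^[A-Za-z]:\\")
# Assumed marker for quarantine stores; QooBox\Quarantine in the export matches it.
QUARANTINE_MARKER = "\\quarantine\\"


def parse_rows(text: str) -> List[Tuple[str, str]]:
    """Pair each scanned path with the status line that follows it."""
    rows: List[Tuple[str, str]] = []
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if PATH_RE.match(line):
            current = line
        elif current is not None:  # header words like "Status" have no path before them
            rows.append((current, line))
            current = None
    return rows


def summarize(rows: List[Tuple[str, str]]) -> Dict[str, Dict[str, object]]:
    """Collapse the per-action rows into one outcome record per file."""
    out: Dict[str, Dict[str, object]] = {}
    for path, status in rows:
        rec = out.setdefault(path, {
            "detection": None,
            "actions": [],
            "final": None,
            "in_quarantine": QUARANTINE_MARKER in path.lower(),
        })
        if status.lower().startswith("infected with: "):
            rec["detection"] = status.split(": ", 1)[1]
        else:
            rec["actions"].append(status)  # type: ignore[union-attr]
            rec["final"] = status
    return out


if __name__ == "__main__":
    for path, rec in summarize(parse_rows(SAMPLE_EXPORT)).items():
        where = "quarantine store" if rec["in_quarantine"] else "live location"
        print(f"{path}\n  {rec['detection']} -> {' -> '.join(rec['actions'])} ({where})")
```

On the sample this yields a single record: detection `Rootkit.Agent.EV`, actions `Disinfection failed` then `Deleted`, final outcome `Deleted`, flagged as sitting in a quarantine store.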

#14 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 14 June 2007 - 10:50 AM

How's your PC running now?

#15 PhoenixReneau

PhoenixReneau
  • Topic Starter

  • Members
  • 16 posts

Posted 14 June 2007 - 11:53 AM

Good at the moment. Everything seems to be back to normal. It is kind of strange for me to get hit like this. This is the first time I have ever been hit by anything near major. Thanks for the help, and if anything else comes up I will let you know.